EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate Services

dnsmss
Level 1

Hi,

I receive the following error message when the identity source within the identity policy, underpinning the ACS access service I have configured for EAP-TLS, is set to active directory (AD1):

“22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request”.

When I change the identity source to the certificate services profile that I created, then the WLAN client connection is successful. 

My interpretation of this, which could be completely wrong, is that ACS and WLAN client trust each other’s certificates, but EAP-TLS is incorrectly configured on the ACS server?

Any assistance would be greatly appreciated!

Thanks in Advance,
dnsMSS Support

5 Replies

jrabinow
Level 7

This is as expected. Each rule in identity policy selects an identity source as its result.

For password based authentication it would be an identity database (e.g. LDAP, AD, internal) or a sequence of databases.

In the case of EAP-TLS there is no password based authentication and so instead a certificate authentication profile is selected as the result. This profile can define the following:

- which field from the certificate is to be used to contain the username that will be utilized for the processing

- whether to do a binary lookup and comparison of the certificate in a selected AD or LDAP identity store

For any EAP-TLS authentication, if there is no certificate based authentication enabled in the identity source result you will get the failure code you mentioned in your post:

“22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request”.

Hi,

When the identity source is set to the certificate services profile I have x509 PKI authentication, but I want EAP-TLS authentication.

Are you suggesting that I need to create an identity store sequence to achieve this containing both the AD server and the certificate services profile?

Thanks!

If you are doing EAP-TLS then what are you using AD for? What data do you want to retrieve from it and what do you want to do with it?

Hi,

I’d like to configure ACS to authenticate and authorise users and computers against AD, which is my authoritative directory service. More specifically, I’d like to set up ACS as described in section 8 of the Cisco ACS 5.3 user guide – from page 8-38 onwards.

With the identity source to certificate profile, I don’t believe ACS is checking the status of the user or computer account in AD? For example, if the user account is locked but the certificate is valid, the connection will still be allowed because the certificate is valid.

Thanks!

You can check the attribute of the user if you are able to retrieve it first. Here is a link to the attribute and the different values. You can set up a condition under your access policy that checks the value; if it is locked, then you can deny access.

http://support.microsoft.com/kb/305144

Thanks,

Tarik Admani
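The following is an added example, not code from this thread or from Cisco ACS, that models the behaviour described in the replies above: an EAP-TLS request whose identity-policy result is a password database (AD) fails with the 22045 message, a certificate authentication profile selects the username field and optionally binary-compares the certificate against the directory copy, and a separate authorization condition on the AD userAccountControl attribute (the attribute described in the linked KB 305144) denies disabled or locked accounts even when the certificate itself is valid. The identity store, certificate fields and DER bytes are constructed sample data; the profile and store structures are this example's own assumptions, not ACS data structures.

```python
# Added example: a small model of the ACS 5.3 identity-policy flow described in
# this thread. Not Cisco code. Store contents, certificates and DER bytes are
# constructed sample data.
import hashlib

ERR_22045 = ("22045 Identity policy result is configured for password based "
             "authentication methods but received certificate based "
             "authentication request")

# userAccountControl bit flags as documented in Microsoft KB 305144.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes; stands in for the byte-for-byte comparison an
    AD/LDAP binary certificate lookup performs."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-in for the AD identity store (sAMAccountName -> attributes).
AD_STORE = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT,
              "userCertificate": der_fingerprint(b"DER:alice:v1")},
    "bob":   {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
              "userCertificate": der_fingerprint(b"DER:bob:v1")},
    "carol": {"userAccountControl": NORMAL_ACCOUNT,
              "userCertificate": der_fingerprint(b"DER:carol:v1")},
}


def make_cert(subject_cn: str, der: bytes) -> dict:
    """Constructed client certificate: the fields a profile may choose the
    username from, plus the DER bytes used for binary comparison."""
    return {"Subject-CN": subject_cn,
            "SAN-UPN": f"{subject_cn}@example.test",
            "der": der}


def certificate_profile(cert: dict, profile: dict) -> dict:
    """Certificate authentication profile: pick the username field and, if
    enabled, binary-compare the certificate with the directory's copy."""
    username = cert[profile["username_field"]]
    if profile.get("binary_compare"):
        entry = profile["store"].get(username)
        if entry is None:
            return {"status": "fail", "error": "user not found in identity store"}
        if entry["userCertificate"] != der_fingerprint(cert["der"]):
            return {"status": "fail", "error": "certificate binary comparison failed"}
    return {"status": "ok", "username": username}


def identity_policy(request: dict, rule_result: tuple) -> dict:
    """Apply the identity-policy rule result to a request.
    rule_result is ('password', store_name) or ('cert_profile', profile)."""
    kind, target = rule_result
    if request["method"] != "EAP-TLS":
        return {"status": "fail", "error": "only EAP-TLS is modelled here"}
    if kind != "cert_profile":
        # The situation in the original post: AD1 selected as the result.
        return {"status": "fail", "error": ERR_22045}
    return certificate_profile(request["cert"], target)


def authorization(username: str, store: dict) -> dict:
    """Authorization condition on the retrieved AD attribute: deny disabled or
    locked accounts even though the certificate was valid."""
    entry = store.get(username)
    if entry is None:
        return {"status": "deny", "reason": "no AD account for certificate user"}
    uac = entry["userAccountControl"]
    if uac & (ACCOUNTDISABLE | LOCKOUT):
        return {"status": "deny", "reason": f"userAccountControl=0x{uac:x}"}
    return {"status": "permit"}


def authenticate(request: dict, rule_result: tuple) -> dict:
    """Identity policy first, then the AD-attribute authorization condition."""
    ident = identity_policy(request, rule_result)
    if ident["status"] != "ok":
        return ident
    return {"status": "ok", "username": ident["username"],
            "authz": authorization(ident["username"], AD_STORE)}


CERT_PROFILE = {"username_field": "Subject-CN", "binary_compare": True, "store": AD_STORE}

if __name__ == "__main__":
    for name, der in (("alice", b"DER:alice:v1"), ("bob", b"DER:bob:v1"),
                      ("carol", b"DER:carol:v2")):
        req = {"method": "EAP-TLS", "cert": make_cert(name, der)}
        print(name, authenticate(req, ("cert_profile", CERT_PROFILE)))
    req = {"method": "EAP-TLS", "cert": make_cert("alice", b"DER:alice:v1")}
    print("alice vs AD1:", authenticate(req, ("password", "AD1")))
```

Running the block shows alice permitted, bob authenticated but denied by the authorization condition (account disabled), carol's re-keyed certificate failing the binary comparison, and alice's request against the AD1 password result producing the 22045 message. One practical caveat when building the real condition: AD reflects lockout through the lockoutTime attribute and the computed msDS-User-Account-Control-Computed attribute rather than reliably setting the LOCKOUT bit in userAccountControl, so a condition on userAccountControl alone catches disabled accounts but may miss locked ones.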
